The standard was created to help companies that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. It applies to all organizations that hold, process, or exchange cardholder information. Validation of compliance can be performed either internally or externally, depending on the volume of card transactions, but regardless of size, compliance must be assessed annually.

From an encryption standpoint, PCI does not provide much guidance. The basic requirement is to use "strong cryptography," but there are many algorithms, dozens of tools, and many ways to deploy each of them. Strong cryptography is often misapplied because the chosen security model does not fit the business use case. The wrong choice leaves data accessible in clear text, resulting in wasted investment and persistent vulnerabilities.

So which encryption method is the best way to achieve PCI encryption compliance? Which options provide security yet keep costs and complexity under control? "Data Encryption 101: Pragmatic Guide to PCI-DSS Requirements" is an unbiased, educational white paper intended to help you determine the right encryption compliance strategy for your situation.

The white paper makes a strong case for implementing application level encryption when the business case justifies it. That’s one of many ways EncryptRIGHT® can help you achieve PCI compliance for data encryption and key management.

Six of the 12 PCI security requirements address encryption and key management, and EncryptRIGHT helps you comply with all six (in bold below):

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

The other requirements relate to policies, procedures and network architecture. This page presents a requirement-by-requirement evaluation of how EncryptRIGHT meets PCI encryption and key management requirements. For additional practical information about PCI DSS try the PCI Security Standards Council website.